Security refers to the resilience of all IT components (operating system, services, applications, etc.) to attack, as well as to the provision of a standard set of properties: confidentiality, integrity and availability.
It should be noted that privacy, as part of Trustworthy Computing, is a somewhat different concept from privacy in the security sense. Here Microsoft means that every user must be able to manage their own documents and the rights to work with them. The same applies to real-time web services and other services that support communication.
Reliability implies that users can gain access to resources when they need them, and can also count on the expected level of service.
Finally, business integration is, first and foremost, helping users find the solutions they need. It is not enough to say: "take the first, the second, the third, and so on, and use them." You have to explain and teach how to do it, in particular how to secure your IT infrastructure. We have already described the concept of Trustworthy Computing on the pages of our site, so here we consider only the points relevant to our context. First and foremost, that is the Microsoft Security Framework. It should be noted that behind the loud marketing name lies a formula that Microsoft writes as SD3 + C (Security by Design, Security by Default, Security by Deployment and Communications).
The merit of the software giant, in our view, is precisely that it managed to formalize the basic principles that many experienced system administrators and users of client-server application architectures understood intuitively, but could not convey to the general public or to developers (in the end, that is not their job). Thus Microsoft, as a representative of the developers, formulated a number of basic techniques that we can observe today in its products.
The brainchild of Microsoft's Trustworthy Computing and Security Framework was Windows Server 2003. Its developer says that this is a product whose security was laid down at the design stage, and that from the outset it implements minimal functionality and the minimum necessary privileges. In addition, the system ships with a number of tools for managing its security processes, for example MBSA (Microsoft Baseline Security Analyzer), SUS (Software Update Services) and WU (Windows Update). This is not to say that Windows Server 2003 is better than, for example, a particular Linux distribution, but that it is better than Windows 2000 Server is certain.
While working on the latest version of its server OS, the software giant, in our opinion, played on the political and social tension around security issues. Some users note that Microsoft began to address IT security seriously only after the events of 11 September, freezing the development of Windows Server 2003 for 6 months for a code audit.
Finally, Microsoft released the book "Writing Secure Code", which describes formal principles useful for application architects, developers, QA staff and others.
It is interesting to note that, in the end, every developer, system administrator and other professional responsible for the security of an information system has to answer the question: "how securely is it built?" One can reply "fairly securely" or simply "securely". But to evaluate such an answer, one must understand what "adequate security" means. The best way to convey "adequate security" is the following figure, which illustrates the balance of compromises from the theory of risk management:
On one side is the security provided; on the other, the total cost of the option and its practicality. As you can see, the two pull in opposite directions. But to place the slider correctly on this scale and assess the risks properly, you need to carry out a range of activities: assess what is already in place, identify risks, analyze and prioritize them, carry out monitoring and planning, and complete it all with execution and auditing. With that, we move on to the next section.
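As an added illustration (not from the original article), a small Python model of the balance described above: risks are ranked by expected loss, then controls are chosen for exposure removed per unit cost while a spending budget and a usability tolerance bound how far the slider moves toward security. The risks, controls and figures are all constructed.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: float  # constructed estimate: probability of occurrence per year
    impact: float      # constructed estimate: loss if it occurs

@dataclass(frozen=True)
class Control:
    name: str
    cost: float               # one-off cost of the control
    usability_penalty: float  # constructed 0..1 measure of user friction
    reduces: dict             # risk name -> fraction of its likelihood removed

def prioritize(risks):
    """'Analyze and prioritize': highest expected annual loss (likelihood x impact) first."""
    return sorted(risks, key=lambda r: r.likelihood * r.impact, reverse=True)

def residual_exposure(risks, controls):
    total = 0.0  # expected annual loss left after the given controls are applied
    for r in risks:
        likelihood = r.likelihood
        for c in controls:
            likelihood *= 1.0 - c.reduces.get(r.name, 0.0)
        total += likelihood * r.impact
    return total

def choose_controls(risks, candidates, budget, max_friction):
    """Place the slider: best exposure removed per unit cost, within budget and friction."""
    chosen, spent, friction, remaining = [], 0.0, 0.0, list(candidates)
    while remaining:
        base = residual_exposure(risks, chosen)
        best = max(remaining, key=lambda c: (base - residual_exposure(risks, chosen + [c])) / c.cost)
        remaining.remove(best)
        gain = base - residual_exposure(risks, chosen + [best])
        if gain <= 0 or spent + best.cost > budget or friction + best.usability_penalty > max_friction:
            continue  # more security here is not worth its cost or its friction
        chosen.append(best)
        spent += best.cost
        friction += best.usability_penalty
    return chosen, residual_exposure(risks, chosen)

# Constructed sample register, not data from the article.
RISKS = [Risk("unpatched server exploited", 0.40, 50_000),
         Risk("weak admin password guessed", 0.20, 80_000),
         Risk("unneeded service exposed", 0.30, 10_000)]
CONTROLS = [Control("patch management", 5_000, 0.05, {"unpatched server exploited": 0.8}),
            Control("strong password policy", 1_000, 0.20, {"weak admin password guessed": 0.7}),
            Control("disable unneeded services", 500, 0.10, {"unneeded service exposed": 0.9}),
            Control("full network isolation", 40_000, 0.60,
                    {"unpatched server exploited": 0.95, "weak admin password guessed": 0.5})]
```

With a budget of 10,000 and a friction tolerance of 0.4, the three cheap controls are taken and the expensive isolation option is left out, bringing expected annual loss from 39,000 down to 9,100.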
The threat model and the IT security process
Threat modeling always begins with some general scheme, which is presented in much the same form in almost every IT security tutorial and on most web resources on the topic. We suggest starting from the following fairly compact model.